DOM XSS in document.write sink using source location.search

Description

The website in this lab contains a DOM-based cross-site scripting vulnerability in the search query tracking functionality. It uses the JavaScript document.write function, which writes data out to the page. The document.write function is called with data from location.search, which can be controlled using the website URL.

Reproduction and proof of concept

  1. Enter a random alphanumeric string into the search box.

  2. Right-click and inspect the element, and observe that your random string has been placed inside an img src attribute.

DOM XSS

  1. Break out of the img attribute:

"><script>alert('Hello World')</script>

DOM XSS

DOM XSS